The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.
Intrusion detection systems are usually configured to monitor network traffic and detect anomalies occurring in networks. An intrusion detection system may detect an anomaly in a network when the system determines that a pattern of the monitored traffic appears to be suspicious or matches a signature of a known attack on the network.
Network traffic patterns are usually described using lists of features, and each list may contain thousands of feature items. Because the difference between a suspicious pattern and a normal pattern usually amounts to a small difference in the feature lists, determining which features actually indicate suspicious patterns may be difficult. Furthermore, in some situations, features that indicate no suspicious pattern when evaluated individually may indicate a suspicious pattern when evaluated in certain combinations. Hence, determining whether a pattern is suspicious may involve testing not only the individual features, but also a multitude of combinations of those features.
Network intrusion detection systems are usually implemented using several processing layers, and output from one processing layer may serve as input to other processing layers. Every layer may include several anomaly detectors, and outputs from the detectors may be aggregated. Furthermore, individual detectors may use non-linear scales and grading functions. Therefore, outputs produced by the multi-layer intrusion detection systems are often complex and difficult to analyze.
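The following example is added here to make the two preceding points concrete; it is not code from the original document and does not describe any particular product. It assumes a simplified two-layer detector over constructed flow records: a first layer with a per-feature threshold detector and a feature-combination detector, each emitting a non-linear (saturating) grade, and a second layer that aggregates those grades with a noisy-OR rule. The feature names, thresholds, combination rules and grading constants are all illustrative assumptions. The second flow shows the situation described above: no single feature crosses its threshold, yet the combination of many distinct destination ports with a very short duration is graded as suspicious.

```python
import math

# Constructed sample flow records (illustrative only, not from any real capture).
FLOWS = [
    {"id": "f1", "bytes_out": 1200, "duration_s": 2.0, "dst_ports": 3, "failed_logins": 0},
    {"id": "f2", "bytes_out": 900, "duration_s": 1.5, "dst_ports": 40, "failed_logins": 0},
    {"id": "f3", "bytes_out": 80000, "duration_s": 30.0, "dst_ports": 1, "failed_logins": 0},
]

# Assumed per-feature thresholds for the univariate detector.
THRESHOLDS = {"bytes_out": 50000, "duration_s": 600, "dst_ports": 100, "failed_logins": 10}


def univariate_hits(flow):
    """Features that individually exceed their threshold."""
    return [name for name, limit in THRESHOLDS.items() if flow[name] > limit]


def combination_hits(flow):
    """Feature pairs that are ordinary on their own but suspicious together (assumed rules)."""
    hits = []
    # Many distinct destination ports over a very short duration.
    if flow["dst_ports"] > 20 and flow["duration_s"] < 5:
        hits.append(("dst_ports", "duration_s"))
    # Repeated authentication failures alongside a large outbound volume.
    if flow["failed_logins"] > 3 and flow["bytes_out"] > 10000:
        hits.append(("failed_logins", "bytes_out"))
    return hits


def grade(count, scale):
    """Non-linear grading: saturating curve in [0, 1), so more hits add less each time."""
    return 1.0 - math.exp(-count / scale)


def layer1_scores(flow):
    """First processing layer: one graded output per detector."""
    return {
        "univariate": grade(len(univariate_hits(flow)), 1.0),
        "combination": grade(len(combination_hits(flow)), 0.5),
    }


def layer2_aggregate(scores):
    """Second processing layer: noisy-OR aggregation of the detector grades."""
    product = 1.0
    for score in scores.values():
        product *= 1.0 - score
    return 1.0 - product


def assess(flow, threshold=0.5):
    """Run both layers and return the intermediate and final outputs for inspection."""
    scores = layer1_scores(flow)
    final = layer2_aggregate(scores)
    return {"flow": flow["id"], "layer1": scores, "final": final, "suspicious": final > threshold}


if __name__ == "__main__":
    for record in FLOWS:
        result = assess(record)
        print(result["flow"], result["layer1"], round(result["final"], 3), result["suspicious"])
```

Inspecting the intermediate `layer1` grades alongside the aggregated `final` score illustrates the analysis difficulty described above: a final score of roughly 0.86 for `f2` is produced entirely by the combination detector, while a score of roughly 0.63 for `f3` comes from a single univariate hit, and the aggregated value alone does not reveal which path produced it.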